skip to main content

Title: Toward live inter-domain network services on the ExoGENI testbed
A key dimension of reproducibility in testbeds is stable performance that scales in regular and predictable ways in accordance with declarative specifications for virtual resources. We contend that reproducibility is crucial for elastic performance control in live experiments, in which testbed tenants (slices) provide services for real user traffic that varies over time. This paper gives an overview of ExoPlex, a framework for deploying network service providers (NSPs) as a basis for live inter-domain networking experiments on the ExoGENI testbed. As a motivating example, we show how to use ExoPlex to implement a virtual software-defined exchange (vSDX) as a tenant NSP. The vSDX implements security-managed interconnection of customer IP networks that peer with it via direct L2 links stitched dynamically into its slice. An elastic controller outside of the vSDX slice provisions network links and computing capacity for a scalable monitoring fabric within the tenant vSDX slice. The vSDX checks compliance of traffic flows with customer-specified interconnection policies, and blocks traffic from senders that trigger configured rules for intrusion detection in Bro security monitors. We present initial results showing the effect of resource provisioning on Bro performance within the vSDX.
; ; ; ; ; ; ; ;
Award ID(s):
Publication Date:
Journal Name:
IEEE INFOCOM 2018 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)
Page Range or eLocation-ID:
772 to 777
Sponsoring Org:
National Science Foundation
More Like this
  1. This paper focuses on optimizing resource allocation amongst a set of tenants, network slices, supporting dynamic customer loads over a set of distributed resources, e.g., base stations. The aim is to reap the benefits of statistical multiplexing resulting from flexible sharing of ‘pooled’ resources, while enabling tenants to differentiate and protect their performance from one another’s load fluctuations. To that end we consider a setting where resources are grouped into Virtual Resource Pools (VRPs) wherein resource allocation is jointly and dynam- ically managed. Specifically for each VRP we adopt a Share- Constrained Proportionally Fair (SCPF) allocation scheme where each tenant is allocated a fixed share (budget). This budget is to be distributed equally amongst its active customers which in turn are granted fractions of their associated VRP resources in proportion to customer shares. For a VRP with a single resource, this translates to the well known Generalized Processor Sharing (GPS) policy. For VRPs with multiple resources SCPF provides a flexible means to achieve load elastic allocations across tenants sharing the pool. Given tenants’ per resource shares and expected loads, this paper formulates the problem of determining optimal VRP partitions which maximize the overall expected shared weighted utility while ensuring protectionmore »guarantees. For a high load/capacity setting we exhibit this network utility function explicitly, quantifying the benefits and penalties of any VRP partition, in terms of network slices’ ability to achieve performance differentiation, load balancing, and statistical multiplexing. Although the problem is shown to be NP-Hard, a simple greedy heuristic is shown to be effective. Analysis and simulations confirm that the selection of optimal VRP partitions provide a practical avenue towards improving network utility in network slicing scenarios with dynamic loads.« less
  2. Core-Stateless Fair Queueing (CSFQ) is a scalable algorithm proposed more than two decades ago to achieve fair queueing without keeping per-flow state in the network. Unfortunately, CSFQ did not take off, in part because it required protocol changes (i.e., adding new fields to the packet header), and hardware support to process packets at line rate. In this paper, we argue that two emerging trends are making CSFQ relevant again: (1) cloud computing which makes it feasible to change the protocol within the same datacenter or across datacenters owned by the same provider, and (2) programmable switches which can implement sophisticated packet processing at line rate. To this end, we present the first realization of CSFQ using programmable switches. In addition, we generalize CSFQ to a multi-level hierarchy, which naturally captures the traffic in today's datacenters, e.g., tenants at the first level and flows of each tenant at the second level of the hierarchy. We call this scheduler Hierarchical Core-Stateless Fair Queueing (HCSFQ), and show that it is able to accurately approximate hierarchical fair queueing. HCSFQ is highly scalable: it uses just a single FIFO queue, does not perform per-packet scheduling, and only needs to maintain state for the interior nodesmore »of the hierarchy. We present analytical results to prove the lower bounds of HCSFQ. Our testbed experiments and large-scale simulations show that CSFQ and HCSFQ can provide fair bandwidth allocation and ensure isolation.« less
  3. The transformation of innovative research ideas to production systems is highly dependent on the capability of performing realistic and reproducible network experiments. In this work, we present a network testbed consisting of container-based network emulation and physical devices to advocate high fidelity and reproducible networking experiments. The testbed integrates network emulators (Mininet), a distributed control environment (ONOS), and physical switches (Pica8). The testbed (1) offers functional fidelity through unmodified code execution in emulated networks, (2) supports large-scale network experiments using lightweight OS-level virtualization techniques and capable of running across distributed physical machines, (3) provides the topology flexibility, and (4) enhances the repeatability and reproducibility of network experiments. We validate the testbed fidelity through extensive experiments under different network conditions (e.g., varying topology and traffic pattern). We also use the testbed to reproduce key results from published network experiments, such as Hedera, a scalable and adaptive network traffic flow scheduling system.
  4. The high reliability required by many future-generation network services can be enforced by proper resource assignments by means of logical partitions, i.e., network slices, applied in optical metro-aggregation networks. Different strategies can be applied to deploy the virtual network functions (VNFs) composing the slices over physical nodes, while providing different levels of resource isolation (among slices) and protection against failures, based on several available techniques. Considering that, in optical metro-aggregation networks, protection can be ensured at different layers, and the slice protection with traffic grooming calls for evolved multilayer protection approaches. In this paper, we investigate the problem of reliable slicing with protection at the lightpath layer for different levels of slice isolation and different VNF deployment strategies. We model the problem through an integer linear program (ILP), and we devise a heuristic for joint optimization of VNF placement and ligthpath selection. The heuristic maps nodes and links over the physical network in a coordinated manner and provides an effective placement of radio access network functions and the routing and wavelength assignment for the optical layer. The effectiveness of the proposed heuristic is validated by comparison with the optimal solution provided by the ILP. Our illustrative numerical results compare the impactmore »of different levels of isolation, showing that higher levels of network and VNF isolation are characterized by higher costs in terms of optical and computation resources.

    « less
  5. BGP is a gaping security hole in today's Internet, as evidenced by numerous Internet outages and blackouts, repeated traffic hijacking, and surveillance incidents. Yet, despite Herculean efforts, ubiquitous deployment of the Resource Public Key Infrastructure (RPKI), designed to protect against prefix hijacking attacks, remains distant, due to RPKI's manual and error-prone certification process. We argue that deploying origin authentication at scale requires substituting the standard requirement of certifying legal ownership of IP address blocks with the goal of certifying de facto ownership. We show that settling for de facto ownership is sufficient for protecting against hazardous prefix hijacking and can be accomplished without requiring any changes to today's routing infrastructure. We present APKI, a readily deployable system that automatically certifies de facto ownership and generates the appropriate BGP-path-filtering rules at routers. We evaluate APKI's security and deployability via live experiments on the Internet using a prototype implementation of APKI and through simulations on empirically-derived datasets. To facilitate the reproducibility of our results, we open source our prototype, simulator, and measurement analysis code.